No Contact Normal: Solving the Payment Security Gap

The coronavirus crisis is changing human behavior. From the persistent need for social distancing to the potentially permanent adoption of work-from-home mandates, the “new normal” is uncharted territory.

But the growing priority of public health also has knock-on effects in other fields, such as credit and debit payments. While the United States has historically lagged behind other countries such as Canada, the United Kingdom and Australia when it comes to the adoption of contactless card transactions, the demand for physical distance now trumps the functional familiarity of swipe-and-signature or chip-and-PIN interactions.

To facilitate “no contact normalcy”, the PCI Security Standards Council (PCI SSC) publishes guidance for both commercial deployments and software applications that helps close potential payment security gaps. Here’s what you need to know.

Controlling the COTS of Doing Business

Commercial off-the-shelf (COTS) devices are often the simplest way for retailers to accept contactless payments. Using an embedded near field communication (NFC) reader, COTS solutions are easily integrated with existing POS technology and allow merchants to immediately accept contactless payments from customers with NFC-enabled cards or supported smartphone applications.

The PCI Contactless Payments on COTS (CPoC) standard defines critical security requirements for these devices to ensure consumer payment card information is securely captured, handled and processed. CPoC-compliant solutions include three key elements:

  • A COTS device with an embedded NFC interface capable of reading payment card or payment device data. According to the CPoC standard, the COTS device must have online connectivity to support back-end systems interaction and the PCI SSC recommends the use of a trusted execution environment (TEE) or secure element (SE) that provides hardware-based protections along with cryptographic operations, key management and trusted application hosting.
  • PCI DSS-validated payment acceptance software running on merchant COTS systems. This application must provide a channel to the embedded NFC device, perform initial data encryption and contain software protection mechanisms to maintain its integrity against malicious attacks. In addition, organizations must be able to demonstrate that the app was developed “with security concepts and activities throughout the entire software lifecycle.”

In addition, “It is assumed that an attacker has full access to the software that executes on any unknown or untrusted platform, where that software may be a binary executable, interpreted bytecode, or other form as it is loaded onto the platform. Therefore, the software is to provide inherent protections that resist reverse-engineering of and tampering with the code execution flow. These protections may include, but are not limited to, the use of code obfuscation, internal integrity checks for code and processing flows, and code segment encryption.”

  • Independent back-end systems that support ongoing integrity checks, payment processing and transaction monitoring, and are also capable of handling attestation health-check data from CPoC-approved applications.

Put simply? Deploying a COTS solution to meet emerging contactless payment demands isn’t enough in isolation — it must meet CPoC standards for trusted digital environments, robust software protection and arm’s-length backend processing and monitoring controls.

Deploying 3-D Security

In addition to COTS guidance for vendors and retailers, PCI DSS security requirements also spell out how to build software development kits (SDKs) that satisfy the council’s 3-D Secure (3DS) standard. For 3DS SDK products to receive PCI DSS approval, they must satisfy three security objectives:

  • Protecting the Integrity of the 3DS SDK

This objective calls for regular security checks to determine whether the device is rooted or jailbroken, whether an emulator is running the 3DS SDK, whether the app has been tampered with, and whether a debugger is attached. The software must also verify that it was installed from an approved source and monitor its run-time integrity to identify potential tampering, while applying string and code obfuscation tools and techniques to hinder reverse engineering.
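The run-time protections named in both the CPoC software requirements above (internal integrity checks for code and processing flows) and this 3DS SDK objective (debugger detection, run-time integrity monitoring) come down to a few small checks the app repeats and reports as health-check data. The following C is an added example, not code from the PCI SSC or PreEmptive: it assumes a Linux/Android process (`/proc/self/status` for the tracer check) and uses a constructed `flow_table` standing in for a protected processing-flow structure.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* FNV-1a 32-bit: a cheap checksum for repeated in-process integrity checks. */
uint32_t fnv1a32(const void *data, size_t len) {
    const uint8_t *p = data;
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Constructed stand-in for a protected processing flow: the steps the
   card-read path must execute, in order (read, validate, encrypt, transmit). */
static uint8_t flow_table[4] = { 1, 2, 3, 4 };

/* Reference hash. A shipped app would bake this in at build time (ideally in
   obfuscated form); here it is captured at startup for the demonstration. */
static uint32_t flow_baseline;

void integrity_init(void) { flow_baseline = fnv1a32(flow_table, sizeof flow_table); }

/* 1 while the table still matches the baseline, 0 once it has been altered. */
int flow_table_intact(void) { return fnv1a32(flow_table, sizeof flow_table) == flow_baseline; }

/* Linux/Android: an attached tracer appears as a non-zero TracerPid.
   Returns 1 if traced, 0 if not (or if /proc is unavailable on this platform). */
int debugger_attached(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    char line[256];
    int traced = 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "TracerPid:", 10) == 0) { traced = atoi(line + 10) != 0; break; }
    }
    fclose(f);
    return traced;
}

/* Health-check result the app would report to the back end: 0 = healthy. */
enum { HC_DEBUGGER = 1, HC_TAMPERED = 2 };
int health_check(void) {
    int flags = 0;
    if (debugger_attached()) flags |= HC_DEBUGGER;
    if (!flow_table_intact()) flags |= HC_TAMPERED;
    return flags;
}

/* Test hook only: alter one step of the flow so the check has something to catch. */
void tamper_for_test(void) { flow_table[2] = 0; }
```

In a real deployment the baseline and the checks themselves are what obfuscation and code-segment encryption protect, since a check that is trivial to locate is trivial to patch out.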

  • Safeguarding Sensitive 3DS SDK Elements

Secure 3DS SDK software must also collect and clear sensitive data elements and ensure that any third-party elements used are both well-documented and justified. In addition, software must include protections for UI and HTML rendering along with active defenses against external code or script execution.

  • Using Cryptography Effectively and Appropriately

Finally, 3DS SDKs must use approved cryptographic algorithms and methods listed in the EMV 3-D Secure SDK Specification and ensure random number generators meet industry standards for unpredictability.

Delivering Defense at a Distance

As contactless payments become standard operating procedure across the country, vendors and retailers need COTS solutions that meet or exceed CPoC expectations for hardware and software defense to ensure consumer payment data is protected. Developers working to satisfy growing demands for PCI DSS-compliant SDKs, meanwhile, must ensure they satisfy 3DS standards for integrity, element security and cryptography.

In both cases, defense at a distance starts with software. By deploying advanced tools and techniques for app shielding, hardening and obfuscation, developers and device makers not only give consumers greater peace of mind but ensure emerging COTS and SDK solutions can frustrate attackers’ efforts to defeat contactless payment security.

Current crisis conditions have created ripple effects across the retail and software development industries as no contact becomes the new normal for credit and debit payments. But with changing payment mandates come potential security gaps — by pairing new PCI DSS standards with advanced in-app protection solutions, organizations can move proactively to close the distance between contact-free payments and effective protection.

Resources:

To learn more about how PreEmptive can quickly and effectively secure your apps and data, see https://www.preemptive.com/application-hardening.